
Service abuse: File sharing impersonation with external SharePoint links

Sublime Rules

Summary
Detects inbound email messages that impersonate a legitimate file-sharing notification: the message carries a link to an external SharePoint or OneDrive location, and the link's display text is the sender's display name rather than a file name or a generic button label. The rule fires only when all of the following hold:
  • The message is inbound.
  • The subject contains an indicative term such as 'shared' or 'invite'.
  • The body contains a phrase such as 'shared a file with you', 'shared with you' or 'invited you to access a file', and does not contain 'invited you to edit' (excluded so that legitimate co-editing invitations do not match).
  • At least one link in the message body satisfies all of:
    • its domain is not one of the tenant-approved domains;
    • its root domain is sharepoint.com or 1drv.ms, or the root domain is mimecastprotect.com (a URL-rewriting proxy) and its query parameters reference a .sharepoint.com host;
    • its display text is not 'Open';
    • its display text exactly matches the sender's display name.

When these conditions are met the rule raises a potential credential phishing alert. The detection is categorized as Credential Phishing with tactics that include Impersonation (brand) and Social engineering, and it combines content analysis of the subject and body with URL analysis and sender analysis to identify impersonation attempts that use external SharePoint/OneDrive links.
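The following is an added example, not the rule's own MQL source: a Python model of the detection logic summarized above, run over constructed sample messages. Everything not stated on the page is an assumption made here: the `org_domains` set stands in for the tenant-approved domain list, subject and body phrase matching is treated as case-insensitive while the display-name comparison is exact and case-sensitive, the root domain is approximated as the last two host labels, and the Mimecast-rewritten URL format in the sample is invented for illustration.

```python
"""Model of the 'file sharing impersonation with external SharePoint links' logic.

Added example, not the Sublime rule's MQL. Field names, case handling, the
root-domain approximation and all sample data are assumptions/constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SUBJECT_TERMS = ("shared", "invite")
BODY_PHRASES = ("shared a file with you", "shared with you", "invited you to access a file")
BODY_EXCLUSION = "invited you to edit"          # legitimate co-editing invitations
FILE_SHARE_ROOTS = {"sharepoint.com", "1drv.ms"}
REWRITER_ROOT = "mimecastprotect.com"           # proxy that hides the real URL in the query string


@dataclass
class Link:
    href: str
    display_text: str


@dataclass
class Message:
    sender_display_name: str
    subject: str
    body_text: str
    links: list[Link] = field(default_factory=list)


def root_domain(host: str) -> str:
    """Last two labels of the host (assumption: adequate for the domains this rule cares about)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_external_file_share_link(link: Link, org_domains: set[str]) -> bool:
    """True if the link points at SharePoint/OneDrive outside the tenant-approved domains."""
    parts = urlsplit(link.href)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    root = root_domain(host)
    if host in org_domains or root in org_domains:
        return False                                # tenant-approved: legitimate sharing
    if root in FILE_SHARE_ROOTS:
        return True
    if root == REWRITER_ROOT:
        # The rewriter keeps the real destination in a query parameter; the parameter
        # name is not assumed, so every decoded value is checked for a .sharepoint.com host.
        for values in parse_qs(parts.query, keep_blank_values=True).values():
            if any(".sharepoint.com" in v.lower() for v in values):
                return True
    return False


def matches_rule(msg: Message, org_domains: set[str]) -> bool:
    """Subject/body content checks, then the per-link filter; any qualifying link fires."""
    subject, body = msg.subject.lower(), msg.body_text.lower()
    if not any(term in subject for term in SUBJECT_TERMS):
        return False
    if not any(phrase in body for phrase in BODY_PHRASES) or BODY_EXCLUSION in body:
        return False
    for link in msg.links:
        if not is_external_file_share_link(link, org_domains):
            continue
        if link.display_text == "Open":             # generic button label, not impersonation
            continue
        if link.display_text == msg.sender_display_name:   # exact match (assumption: case-sensitive)
            return True
    return False


# Constructed sample messages (not real traffic). Tenant: contoso-my.sharepoint.com is approved.
ORG_DOMAINS = {"contoso.com", "contoso-my.sharepoint.com"}
SHARE_BODY = "Jane Doe shared a file with you. Click the link below to view it."
SAMPLES = {
    "display_name_as_link_text": Message(
        "Jane Doe", "Jane Doe shared a document", SHARE_BODY,
        [Link("https://fabrikam.sharepoint.com/:b:/s/Docs/abc123", "Jane Doe")]),
    "mimecast_wrapped_sharepoint": Message(
        "Jane Doe", "Jane Doe shared a document", SHARE_BODY,
        [Link("https://url.us.mimecastprotect.com/s?u=https%3A%2F%2Ffabrikam.sharepoint.com"
              "%2F%3Ab%3A%2Fs%2FDocs%2Fabc123&d=XYZ", "Jane Doe")]),
    "generic_open_button": Message(
        "Jane Doe", "Jane Doe shared a document", SHARE_BODY,
        [Link("https://fabrikam.sharepoint.com/:b:/s/Docs/abc123", "Open")]),
    "edit_invitation": Message(
        "Jane Doe", "Invite: Q3 plan", "Jane Doe invited you to edit the Q3 plan. shared with you",
        [Link("https://fabrikam.sharepoint.com/:w:/s/Docs/q3", "Jane Doe")]),
    "approved_tenant": Message(
        "Jane Doe", "Jane Doe shared a document", SHARE_BODY,
        [Link("https://contoso-my.sharepoint.com/:b:/p/jane/abc123", "Jane Doe")]),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(msg, ORG_DOMAINS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:32s} {'ALERT' if hit else 'pass'}")
```

Only the two impersonation samples fire; the 'Open' button text, the 'invited you to edit' wording and the approved tenant host each fall through the corresponding exclusion, which is the behaviour the summary describes.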
Categories
  • Web
  • Application
Data Sources
  • Application Log
  • Network Traffic
Created: 2026-03-10